CI: add least-privilege permissions to GitHub Actions workflows#72
Conversation
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
Add explicit workflow-level permissions blocks to resolve CodeQL actions/missing-workflow-permissions alerts. Scopes are derived from workflow operations (git push, artifact upload, Danger, release lanes). Refs: APPSEC-164
|
Warning Review limit reached
Next review available in: 9 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughNine GitHub Actions workflows now define explicit top-level ChangesWorkflow Permissions Hardening
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (2)
.github/workflows/release-publish.yml (1)
6-8: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winScope
contents: writeto thereleasejob only.The
merge-main-to-developjob usesADMIN_API_TOKENfor both checkout and all git operations (lines 40, 47), so it does not needcontents: writeon the ActionsGITHUB_TOKEN. Workflow-levelcontents: writeunnecessarily grants write access to that job. Consider moving the permission to thereleasejob and using a more restrictive workflow-level default.zizmor also flagged this as
excessive-permissions.🔒 Suggested refactor: job-level permission scoping
permissions: - contents: write + contents: read jobs: release: name: Publish new release runs-on: macos-15 + permissions: + contents: write steps:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-publish.yml around lines 6 - 8, The workflow currently grants `contents: write` at the top level, which gives unnecessary write access to every job. Move that permission to the `release` job in `release-publish.yml` and make the workflow-level permissions more restrictive so `merge-main-to-develop` only uses `ADMIN_API_TOKEN` for checkout and git operations. Use the `release` job as the only place that needs `contents: write`, and keep the rest of the workflow scoped to the minimum required permissions.Source: Linters/SAST tools
.github/workflows/release-merge.yml (1)
9-12: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winDowngrade
contentstoreadin.github/workflows/release-merge.ymlactions/checkoutis the only step using the defaultGITHUB_TOKEN, and the merge step overrides it withADMIN_API_TOKEN, socontents: readshould be enough.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-merge.yml around lines 9 - 12, The workflow permissions are too broad because the release-merge job only needs read access to repository contents. Update the permissions block in the release merge workflow to use read for contents while keeping pull-requests read, since actions/checkout is the only step using GITHUB_TOKEN and the merge step already uses ADMIN_API_TOKEN. Locate the permissions section in the release-merge workflow and adjust it there.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/cron-checks.yml:
- Around line 18-21: The workflow permissions include an unnecessary actions:
write scope; update the permissions block in cron-checks.yml to keep only the
access needed by the job, since upload-artifact does not require the Actions API
scope. Check the workflow steps that use actions/upload-artifact@v4 and remove
actions: write unless another step explicitly needs to manage artifacts through
the Actions API/UI.
In @.github/workflows/sdk-size-metrics.yml:
- Around line 15-18: The workflow permissions block is missing the `actions:
write` scope required by the `ci-guard` step, so add that permission alongside
the existing `contents` and `pull-requests` access. Update the permissions in
the `sdk-size-metrics` workflow where the `ci-guard` composite action is used so
its `gh run cancel` call can succeed under the default `GITHUB_TOKEN`, matching
the permissions used in `smoke-checks`.
In @.github/workflows/smoke-checks.yml:
- Around line 27-31: Update the permissions block in the smoke-checks workflow
to align with ci-guard’s documented requirements: keep actions: write for the gh
run cancel path, but change pull-requests in the permissions for the workflow
that invokes the ci-guard composite action to read instead of write. Use the
existing permissions stanza in the workflow as the target, and ensure the change
matches the ci-guard action’s documented token scope.
In @.github/workflows/sonar.yml:
- Around line 15-17: The workflow token permissions are missing the access
needed for the GitHub Actions API calls used by the sonar workflow. Update the
permissions block in the workflow so it includes actions: read alongside
contents: read, ensuring the steps that use gh api and gh run download can
access artifacts and run data correctly.
---
Nitpick comments:
In @.github/workflows/release-merge.yml:
- Around line 9-12: The workflow permissions are too broad because the
release-merge job only needs read access to repository contents. Update the
permissions block in the release merge workflow to use read for contents while
keeping pull-requests read, since actions/checkout is the only step using
GITHUB_TOKEN and the merge step already uses ADMIN_API_TOKEN. Locate the
permissions section in the release-merge workflow and adjust it there.
In @.github/workflows/release-publish.yml:
- Around line 6-8: The workflow currently grants `contents: write` at the top
level, which gives unnecessary write access to every job. Move that permission
to the `release` job in `release-publish.yml` and make the workflow-level
permissions more restrictive so `merge-main-to-develop` only uses
`ADMIN_API_TOKEN` for checkout and git operations. Use the `release` job as the
only place that needs `contents: write`, and keep the rest of the workflow
scoped to the minimum required permissions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1fdd4673-6662-41ac-bc2d-33b4b8c37f55
📒 Files selected for processing (9)
.github/workflows/cron-checks.yml.github/workflows/release-merge.yml.github/workflows/release-publish.yml.github/workflows/release-start.yml.github/workflows/sdk-size-metrics.yml.github/workflows/smoke-checks.yml.github/workflows/sonar.yml.github/workflows/testflight.yml.github/workflows/update-copyright.yml
Public Interface🚀 No changes affecting the public interface. |
SDK Size
|
|



Summary
permissionsblocks to workflow files flagged by CodeQL.actions/missing-workflow-permissionsalerts.Linear
Test plan
Summary by CodeRabbit